[132773] in cryptography@c2.net mail archive
Re: once more, with feeling.
daemon@ATHENA.MIT.EDU (Arshad Noor)
Mon Sep 8 16:27:42 2008
Date: Mon, 08 Sep 2008 12:39:41 -0700
From: Arshad Noor <arshad.noor@strongauth.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
CC: cryptography@metzdowd.com
In-Reply-To: <p06240855c4eb10a5daba@[10.20.30.152]>
Paul Hoffman wrote:
>
> A less extreme solution would be to make the warning the user sees on a
> mixed-content page more insulting to the bank. "This page contains both
> encrypted and non-encrypted content and is inherently insecure. The
> owner of this web site has clearly made a very poor security decision in
> showing this page to you. It is likely that other pages on this site
> also have similarly poor security. Knowing this, do you wish to continue
> anyway?"
>
A more optimal solution is to have this vulnerability accepted by
the OWASP community as a "Top 10" security vulnerability; it will
have the appropriate intended effect since mitigation of the OWASP-
defined vulnerabilities is required in PCI-DSS:
"6.5 Develop all web applications based on secure coding guidelines
such as the Open Web Application Security Project guidelines"
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
http://www.owasp.org/index.php/Top_10_2007
Arshad Noor
StrongAuth, Inc.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com